The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2015-04-26


All times shown according to UTC.

Time Nick Message
00:02 oetiker joined #mojo
00:13 basic6 joined #mojo
00:47 wingfold joined #mojo
00:54 jberger eh, I've just simplified the tests
00:55 jberger that was getting too crazy
01:25 klapperl joined #mojo
01:30 gatitskiy joined #mojo
01:34 rakshasa joined #mojo
01:34 Grinnz sri, any thoughts on how to make something like $tx->res->dom work for XML apis? some like microsoft's do not have processing instructions... right now i have to do Mojo::DOM->new->xml(1)->parse($tx->res->text)
01:35 Grinnz not too bad, but just wonder if there could be an easier way
01:35 jberger Microsoft would do that wouldn't they
01:35 Grinnz :)
01:36 jberger Grinnz: you could prepend the body with your own processing instructions ;D
01:36 Grinnz hahaha, yeah right
01:41 Grinnz jberger, that twitter API my bot is using doesn't even need to be separated into its own distribution :P https://github.com/Grinnz/zircbot/blob/master/lib/Bot/ZIRC/Plugin/Twitter.pm#L294
01:42 Grinnz i'm trying to make all the plugins like that where appropriate
01:45 jberger makes it all the easier to add more functionality later too
01:54 asarch joined #mojo
01:55 Grinnz and then there's the LastFM api, whose JSON version has quite clearly been XML::Simpled (or similar) from their XML api
02:04 memowe joined #mojo
02:17 mattastrophe joined #mojo
02:33 jberger so here's a fun hack: https://gist.github.com/jberger/f2c7057b05ac3e272e20
02:35 cpan_mojo Mojolicious-Plugin-WebFinger-0.06 by AKRON https://metacpan.org/release/AKRON/Mojolicious-Plugin-WebFinger-0.06
02:35 cpan_mojo Mojolicious-Plugin-XRD-0.15 by AKRON https://metacpan.org/release/AKRON/Mojolicious-Plugin-XRD-0.15
02:35 wingfold joined #mojo
02:41 asarch joined #mojo
02:57 noganex_ joined #mojo
03:01 memowe joined #mojo
03:18 Grinnz for what purpose?
03:23 jberger say you have logic if there is an optional module
03:24 hasan joined #mojo
03:24 jberger and you want to test the fallback
03:24 hasan If I have two mojo apps and one is my web frontend and the other one my http api. can I just softlink the session directory from the frontend folder to the one of my api to have the same session?
03:24 hasan reason I want to do this is: someone who has logged in successfully on my website should be able to make http request to my API
03:24 hasan and if I am sharing the session I don't have to implement another session/login method for my API. right?
03:25 jberger Grinnz: https://github.com/jberger/Mojolicious-Plugin-ReplyTable/blob/master/t/basic.t#L84
03:26 jberger hasan: what do you mean session directory?
03:26 jberger hasan: you can simply set the app secrets to be the same
03:27 hasan jberger: session directory is wrong (coming from dancer). I mean the same session data
03:27 hasan jberger: same secret means same session?
03:27 preaction jberger: Test::Without::Module is what i've used. mucking about with %INC has not worked well for me. But I like your scoping of it like that more. Does that mean you have to test the fallback first?
03:28 Grinnz jberger, ahh
03:28 hasan I mean. someone logs in on webapp1. he should be able to make request to my http API running on webapp2. the API checks for right credentials (normally), but I don't want to login a second time for the API. so my guess was to use the same session data across both apps.
03:29 Grinnz jberger, yeah Test::Without::Module is what i used for testing Mojo::JSON::MaybeXS in that manner
03:30 preaction I also tried Devel::Hide. but usually i only did those manually
03:30 Grinnz hasan, the session data is stored entirely in the cookie. there is no server side data to share
03:30 Grinnz other than the secret, which must be the same
03:30 jberger hasan: are the apps using the same top level host name?
03:30 Grinnz hasan, also, both must come from the same domain, in order to share cookies
03:30 hasan jberger: yes. apart from the different subdomain
03:31 Grinnz different subdomain complicates things.
03:31 hasan mydomain.tld and api.mydomain.tld
03:31 Grinnz they will not share the cookie then
03:31 hasan well I have to differentiate between them. how should I else be able to reach the API? different port?
03:31 Grinnz commonly, it's mydomain.tld/api
03:31 hasan ok then mydomain.tld and api is mydomain.tld:4000
03:31 preaction jberger: ah. looks like you've seen those two things already
03:32 jberger iirc you can set the cookie host to *.mydomain.tld
03:32 Grinnz perhaps that might work
03:32 jberger or perhaps I'm confusing my web technologies
03:32 hasan Grinnz: looks ok. mydomain.tld and mydomain.tld/api
03:32 hasan so same secret and I share the same cookies.
03:32 jberger preaction: they both look so darn complex for what they do
03:32 Grinnz $app->sessions->cookie_domain(...)
03:32 Grinnz but yes, same domain would be easier
03:32 jberger and I couldn't choose between then
03:32 jberger them
03:33 hasan it was more simple than I thought it would be.
03:33 hasan thanks for the help :)
03:33 preaction jberger: it's kind of crazy to do. i like yours a lot better. "run this test, and do not allow any more modules to be added"
03:34 jberger you can even localize the %INC value for the module in case you are worried that it had already been loaded
03:35 Grinnz jberger, Test::Without::Module doesn't look that complex to me, but it is a different setup yeah
03:35 preaction that is what i've had the most trouble with. lots of "Subroutine ... redefined" warnings start flowing out
03:39 Grinnz jberger, maybe you can throw yours up on CPAN too :P
03:40 jberger I AM on a bit of a cpan binge at the mo
03:44 Grinnz the one problem i would have with that way is that it would block other code that dynamically requires and you want it to
03:44 Grinnz if you wanted to make it specific to one module you'd probably have to do a lot of what TWM is doing :P
04:00 basic6_ joined #mojo
04:06 jberger Grinnz: that can be done by the callback provided to @INC
04:07 Grinnz which is "a lot of what TWM is doing" :P
04:07 jberger but then you would want to only localize those keys in %INC too
04:08 jberger Grinnz: perhaps
04:08 jberger anyway I can only have a few crazy new modules in the works at a time
04:08 jberger otherwise they start to run together :p
04:24 wingfold joined #mojo
04:25 asarch I configure lighttpd to use the scgi module and dispatch it, then I set rtorrent so it can share the XML-RPC protocol
04:25 asarch Can I configure morbo to replace lighttpd?
04:27 Adura You'd use hypnotoad.
04:28 asarch Thank you Adura
04:28 asarch Thank you very much :-)
04:54 absolut_todd joined #mojo
05:04 irq joined #mojo
05:06 memowe joined #mojo
05:08 gatitskiy joined #mojo
05:09 good_news_everyon joined #mojo
05:09 good_news_everyon [mojo] kraih tagged v6.09 at 28e2529: http://git.io/vfXCl
05:09 good_news_everyon left #mojo
05:10 good_news_everyon joined #mojo
05:10 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/vfXCu
05:10 good_news_everyon mojo/master 1f1acd2 Sebastian Riedel: bump version
05:10 good_news_everyon left #mojo
05:14 sri oh, now i understand the term "if-err-hell" https://github.com/kabukky/journey/blob/master/database/update.go
05:16 sri or do they just call it "if-hell" now?
05:19 Grinnz hah
05:23 wariat joined #mojo
05:33 batman crazy: https://github.com/jhthorsen/mojolicious-plugin-assetpack/pulls?q=is%3Apr+is%3Aclosed :(
05:33 preaction if only there was some way of an error happening, and execution stopping, unless you really wanted to try to continue...
05:33 batman i guess i'm overreacting, but it got rather annoying.
05:34 dotandimet joined #mojo
05:56 sri batman: think i would have given a temporary block, so there's time for him to figure out how to do PRs properly
05:56 kaare joined #mojo
05:58 batman sri: is it so that if i block the user on the profile page, the user also can't do anything with my projects?
05:59 batman i've never blocked anyone before...
05:59 sri correct
05:59 batman thanks
05:59 sri i've only blocked one person permanently so far, and two temporarily
06:00 batman :)
06:05 batman i wonder what is right: either use $hypnotoad = File::Spec->catfile(dirname($^X), 'hypnotoad') or find it from $PATH https://github.com/jhthorsen/toadfarm/blob/master/lib/Toadfarm/Command/start.pm#L44
06:13 wingfold joined #mojo
07:04 ToApolytoXaos joined #mojo
07:31 irq_ joined #mojo
08:02 wingfold joined #mojo
08:28 Vandal joined #mojo
08:29 berov joined #mojo
09:05 wariat joined #mojo
09:22 dod joined #mojo
09:28 augensalat batman: $PATH has a good chance to find the wrong hypnotoad, $^X is better
09:29 dod joined #mojo
09:29 batman augensalat: so you think this should be the other way around? https://github.com/jhthorsen/toadfarm/blob/master/lib/Toadfarm/Command/start.pm#L68
09:30 batman i was thinking it might be limiting... maybe i want to run with $PATH=/checked/out/mojo.git/bin:$PATH perl foo.pl
09:30 augensalat check out http://wiki.cpantesters.org/wiki/CPANAuthorNotes - so maybe: use Config;  $hypnotoad = File::Spec->catfile($Config{bin}, 'hypnotoad')
09:32 batman nice tip. thanks :)
09:32 batman but i'm still not sure if $Config{bin} should be first
09:32 augensalat perhaps another environment variable to specify the right hypnotoad
09:33 batman btw... do you use toadfarm?
09:34 augensalat no
09:34 batman ok. thanks for the input anyway :)
09:34 augensalat you are welcome :)
09:34 batman i will think about it. $Config{bin} is going in now anyway.
09:39 oetiker joined #mojo
09:39 ashimema joined #mojo
09:40 augensalat Toadfarm looks quite cool. IMO Plugins like my AccessLog or the recent SizeLimit actually belong into the web server more than into the application itself.
09:46 batman i will add a reference to Mojolicious::Plugin::SizeLimit from toadfarm. looks interesting
09:46 batman augensalat: yeah... kind of, but where would you set the limit for what is core?
09:51 wingfold joined #mojo
09:57 oetiker joined #mojo
10:01 jabberwok batman: I'm writing a brief tutorial "Let's start with a Net Install of Debian and install the absolutely minimum set of software to a multi-tenant Mojo webserver with Toadfarm" ; is there a best practice on How to Not Run Toadfarm As Root UID+GID, or maybe even How To Run Individual "Apps" with separate UIDs at least ...?
10:02 oetiker joined #mojo
10:02 riche marcus / jberger / tempire / batman : please comment on https://github.com/kraih/mojo/pull/787 when you have a chance
10:04 jabberwok $ sudo chmod +x /etc/init.d/your-script « from manual, keeps the owner's uid/gid but runs as root; which is needed to listen at :80, presumably; is "as root user-id but with other group-id" the right way to start? it's sort of the-combination-is-locked-in-the-safe problem, innit.
10:07 batman jabberwok: that's awesome :) thank you!
10:08 batman jabberwok: you can't run individual apps inside toadfarm as different user, but you can start toadfarm as root and change to a different user: https://metacpan.org/pod/Mojo::Server#user
10:09 batman jabberwok: i do this though: https://metacpan.org/pod/distribution/Toadfarm/lib/Toadfarm/Manual/Intro.pod#Listen-to-standard-ports
10:09 batman btw, i'm moving that documentation to ::RunningToadfarm now
10:10 memowe joined #mojo
10:11 batman jabberwok: just use this to start as root, and then change to "some-www-user": start [qw( http://*:80 https://*:443 )], user => "some-www-user";
10:11 batman jabberwok: let me know if i'm _not_ answering your questions. i'm really good at misunderstanding things :(
10:19 kaare_ joined #mojo
10:26 jabberwok batman: cheers, i'm trying a few examples now.
10:26 batman nice! let me know when something doesn't feel right :)
10:29 jabberwok Aye-aye. I'm thinking one or a few instances of something based on this, will replace my existing multi-WordPress server (all "Pages" no "blog" no "comments" even) once i get my personal engine working.  And all probably be happy on the smallest digitalocean node.
10:35 batman jabberwok: yeah. that's what i'm doing :) i got five apps mounted in the same toadfarm startup script, which saves me the "default perl memory" x 5
10:36 trone joined #mojo
10:38 jabberwok the only other sticky spot, then, is how to run this as root but using perlbrew instead of mucking with the system perl.
10:38 batman i wonder if i should just kill "-init" and just have "use Toadfarm;"
10:39 batman jabberwok: just make sure you have a proper shebang: #!/abs/path/to/perlbrew/bin/perl
10:40 jabberwok *Ah*
10:41 * jabberwok files under, Any problem (once solved) is simple
10:45 sh4 joined #mojo
10:47 batman jabberwok: does it make sense to add a note about perlbrew/plenv under https://metacpan.org/pod/Toadfarm::Manual::RunningToadfarm#Init or should it have its own section?
10:48 * jabberwok flips a coin: answer the question or initiate a systemd flamewar?  *flip* ... oh good, it's "answer your question"
10:50 jabberwok i would say, these days using the system perl is probably contraindicated^H^H^H^H Not Recommended, so I'd say as long as it's one paragraph plus example, add it right there; for now at least
10:52 wingfold joined #mojo
10:53 batman jabberwok: care to comment on the two latest commits? https://github.com/jhthorsen/toadfarm/commits/master
10:55 jabberwok reading:  » Setting up an iptables rules « − s/\san\s//; # grammar
10:55 batman thanks! keep 'em coming :)
10:56 jabberwok 0LT$$   # oh wait this isn't TECO  ## s/// goes so way back
10:58 jabberwok ok on #2, that also creates the @INC so that even tho the workers are running as some_user, the parent Perl et al can still find and use all the libraries there, right?
10:58 jabberwok (so many little pieces & parts which must be well-oiled)
10:59 jabberwok i.e., the some_user from #1 should agree with / be the same, umm, user+environment as in #2.
10:59 batman jabberwok: it will use the default @INC for whatever perl you use. you still need to do "use lib ...;" if you have any custom libs to load in
11:02 memowe joined #mojo
11:02 jabberwok Roger. This documentation upgrade is what i love about Perl, versus Ruby-on-Rails that just seems to say Ignore the man behind the curtain.  We say: No magic, just IKEA instructions: line up the pieces and off you go.
11:02 jabberwok (pardon me getting metaphoric, i blame the coffee)
11:03 batman "documentation upgrade" ..?
11:03 jabberwok = .pod revamp
11:07 batman i'm glad you like it. couldn't do it without feedback :)
11:13 dotan joined #mojo
11:21 jabberwok http://blog.wlindley.com/2015/04/toadfarm-minimal-multi-tenant/   Not quite finished but I hope to expand later today
11:23 misty_g3ar joined #mojo
11:28 batman jabberwok: something completely off topic... why do you have body.custom-background{background-color: #7c83bf;} ?
11:28 batman instead of black; or white; ?
11:31 batman haha "Mr. Thorsen" :) that's nice... can you change it to <a href="http://thorsen.pm">jhthorsen</a> or https://metacpan.org/author/JHTHORSEN ?
11:37 Grinnz batman, isn't your hypnotoad problem suited for FindBin?
11:38 batman Grinnz: what do you mean?
11:38 batman it's not my problem btw... it's a problem that appeared on the mailing list
11:38 batman :)
11:38 Grinnz heh
11:39 batman it might become my problem though... haven't gotten that far yet :/
11:39 Grinnz i mean FindBin is designed to portably handle finding the running script dir, that seems like what you're trying to do
11:40 batman no. i'm just trying to find hypnotoad, which is not likely to be found in /etc/init.d, so i don't think FindBin will help me
11:42 Grinnz this is for the init script? not your executable?
11:42 batman i don't have an executable anymore in toadfarm
11:42 Grinnz i see
11:43 batman that's the beauty of the new api :)
11:45 jabberwok batman: href added.  call me oldschool I still call folks Mr. or Miss or Mrs.
11:45 batman jabberwok: i'm norwegian... feels a bit too much :)
11:45 batman thanks anyway
11:46 jabberwok *bow*
11:46 Grinnz jabberwok, fyi changing uid for mojo servers will not set that user's secondary groups... this has prevented me from being able to use that functionality currently, i still need to look into how apache/nginx handles that
11:47 batman i guess i should add that to the doc...
11:48 Grinnz more specifically "will not set that user's groups", and setting group to that user's primary group is not sufficient for my use case
11:49 Grinnz it is all difficult because it is a difficult aspect of mojo to test
11:49 Grinnz or possibly impossible
11:50 Grinnz <batman> jabberwok: it will use the default @INC for whatever perl you use. you still need to do "use lib ...;" if you have any custom libs to load in
11:50 Grinnz ^ for this i usually set PERL5LIB directly in the init script if needed
11:51 Grinnz (if you don't want it as part of the source code)
11:53 batman Grinnz: the init script in this case: https://github.com/jhthorsen/toadfarm/blob/master/lib/Toadfarm/Manual/RunningToadfarm.pod#init-script
11:54 Grinnz ah right, if the init script is already a perl script i suppose you would just use lib in there
11:54 batman :)
11:57 batman Grinnz: so if "www-user" is part of "www, users, db" then the hypnotoad process will not have access to the things "users" and "db" would have?
11:57 Grinnz batman, correct
11:57 batman weird
11:58 Grinnz batman, it unfortunately seems to be how POSIX setuid works
11:58 Grinnz it literally sets only uid
11:59 batman Grinnz: does this make sense: https://github.com/jhthorsen/toadfarm/blob/master/lib/Toadfarm/Manual/RunningToadfarm.pod#listen-to-standard-http-ports ?
12:00 Grinnz batman, you need to set group => some_group as well, otherwise it will still have root's primary and secondary groups
12:00 batman aha
12:01 Grinnz i am thinking that set user should set that user's primary and secondary groups, but i need to test other things to find out
12:03 batman Grinnz: better now?
12:03 Grinnz yes
12:04 * batman will make a new release
12:04 batman thanks
12:06 memowe joined #mojo
12:08 ashimema joined #mojo
12:08 batman jabberwok: https://github.com/jhthorsen/toadfarm/blob/master/Changes#L3
12:09 batman i'm really happy about finally having the config merge in place
12:31 Grinnz joined #mojo
12:41 wingfold joined #mojo
13:06 jabberwok batman:  excellent.  (/me afk intermittently)
13:06 batman have fun
13:06 purl Don't do anything I wouldn't do!!!
13:12 memowe joined #mojo
13:30 mattastrophe joined #mojo
13:35 kaare joined #mojo
13:40 Grinnz joined #mojo
13:43 asarch joined #mojo
13:57 wingfold joined #mojo
14:05 lluad joined #mojo
14:07 memowe joined #mojo
14:34 cpan_mojo Mojolicious-Plugin-JSUrlFor-0.17 by KOORCHIK https://metacpan.org/release/KOORCHIK/Mojolicious-Plugin-JSUrlFor-0.17
14:35 memowe joined #mojo
14:45 wariat joined #mojo
14:47 memowe joined #mojo
14:53 ajr_ joined #mojo
14:58 memowe joined #mojo
15:19 mgrimes joined #mojo
15:37 misty_g3ar joined #mojo
15:46 wingfold joined #mojo
15:52 btyler joined #mojo
16:08 Grinnz I've looked into what apache and nginx do for user/group, and this is what i've come up with: https://github.com/kraih/mojo/pull/788
16:14 mattastrophe joined #mojo
16:37 misty_g3ar joined #mojo
16:47 sri Grinnz: looks like a huge security issue in the making
16:49 sri well, i'm not qualified to really comment
16:49 Grinnz i think it is more secure than the current implementation, in that you cannot set the user while leaving the root groups
16:49 sri and i suspect not many other folks will be able to either
16:50 sri Grinnz: your description does not mention security
16:50 Grinnz well it's not a security driven feature, but i can add that if you wish
16:50 sri i still remember the secondary group problems
16:51 sri it is very much a security feature
16:51 sri why else would you drop privileges?
16:51 Grinnz i mean, doing this instead of the current behavior is not because of security
16:54 sri still, i don't think we have anyone qualified to comment
16:54 sri which is the tragedy of the setuidgid feature
16:54 sri you could have linked to the apache/nginx source code i suppose
16:54 sri if it is similar to the new code
16:56 sri jberger, marcus, batman, crab, tempire: this is why i wanted to remove user/group/setuidgid
16:57 sri or is one of you qualified to deal with this?
16:58 sri it is still my opinion that letting a plugin deal with this would have been a better option
17:00 Grinnz if the hooks to allow that could be provided, i would be ok with that
17:00 sri already exist
17:00 Grinnz ?
17:00 sri Mojo::IOLoop->next_tick(sub {...change uid/gid...});
17:00 sri that runs after fork
17:01 Grinnz hmm
17:01 Grinnz but how would you do that via hypnotoad configuration?
17:01 Grinnz because you cannot do this in morbo in most setups
17:01 sri Grinnz++ # trying to make the behavior correct
17:02 sri Grinnz: you wouldn't, it would be an app level plugin
17:03 sri the servers just wouldn't care
17:04 Grinnz but you could not run the same app in morbo and hypnotoad, then
17:04 sri how so? the daemon command actually has --user and --group switches
17:04 Grinnz in the case that hypnotoad needs to start as root and change user/group to bind to port 80, and morbo is not started as root
17:05 sri you can tie the plugin to the app mode
17:05 Grinnz eh.. that's one way i guess
17:05 sri no different than dev/production assets
17:06 sri anyway, to sum it up for everyone... Grinnz claims that our current setuidgid behavior is incorrect... we need to verify this and vote on the solution
17:07 sri i have doubts about our ability to do so... and am proposing the removal of the feature again
17:07 sri should the vote fail
17:07 sri marcus, batman, jberger, crab, tempire: up to you what happens
17:08 sri i will count neutral votes in favor of removal
17:10 sri the feature is completely untested and mostly undocumented, and it has major security implications, so keeping incorrect behavior is not an option this time
17:11 sri +1=go with Grinnz solution, -1=keep the current solution, neutral=remove the feature
17:12 sri say we give this a week if nobody votes
17:12 * pink_mist would be fine with either +1 or -1 >_> definitely not fine with neutral
17:13 sri pink_mist: vote!
17:13 sri actually... review the code... and then vote
17:15 Grinnz sri, i've determined that nginx uses initgroups(3) to set these groups; which doesn't help, since perl doesn't have that syscall
17:15 Grinnz the apache source code is a bit denser
17:15 pink_mist sri: food now. afterwards I'll check the code
17:15 pink_mist o/
17:18 riche sri i have resolved the "discrepance"
17:18 riche *discrepancy
17:29 sri my summary https://github.com/kraih/mojo/pull/788#issuecomment-96411079
17:29 sri riche: keeping my vote at -1 i'm afraid
17:34 amon joined #mojo
17:35 wingfold joined #mojo
17:36 mattastrophe joined #mojo
17:36 riche it doesn't matter, i was just testing you
17:37 sri ?
17:39 riche i don't give a flying fuck about unshift.  I just wanted to see what you would do
17:39 sri i don't appreciate that attitude
17:41 riche sorry, let me rephrase:  unshift does not interest me.
17:41 sri maybe we are having communication problems again, perhaps i should let native english speakers go first from now on
17:42 riche We are not having communication problems.
17:43 riche I just wanted to confirm something very simple.
17:43 riche And I am ok with the outcome.
17:45 mst riche: "testing you" is not something one does in civilised development; if you're unsure of somebody's opinions, you might wish to consider asking them
17:46 riche mst: it works both ways
17:47 mst riche: if you recall, I'm far from unwilling to criticise sri's behaviour if I believe he's the one at fault; you might recall I've been kicked at least once for doing so
17:48 mst in this case, I'm finding him to be slightly prickly as ever, and you to be downright obnoxious
17:48 mst and so I'm suggesting that you might want to moderate your attitude and try and be a little more co-operative
17:48 mst since I suspect the results will be far more productive all round
17:49 riche it's not going to happen again, believe me.
17:52 batman riche: I don't care if I'm not native speaker. You're making a complete ass of yourself. Pull it together.
17:53 * batman out
17:58 sri Grinnz: the $! check makes me nervous, i vaguely remember problems there... which was why i used eq checks for the current values of $) and $(
17:58 Grinnz sri, perhaps that was because you are setting $) and $( in the same line? (each could set $! separately, which is why i added another check for that)
17:59 sri afraid i do not remember the specifics :/
17:59 Grinnz an eq check is not usable for this case, as the values of those variables may be ordered differently than what was assigned to them
18:02 sri Grinnz: shouldn't the error messages mention real and effective?
18:02 Grinnz sri, sure since they're separate
18:02 sri also, it seems like you didn't run perltidy over the code
18:03 Grinnz where is the perltidyrc?
18:03 purl hmmm... the perltidyrc is the perltidy settings file or see "PBP perltidyrc"
18:04 Grinnz oh i see it nvm
18:05 sri why "my $group = $self->group // $user;"?
18:06 Grinnz default to set the group to the user, this is what nginx does (apache requires you to specify a group name)
18:06 sri hmm, magical defaults make me nervous too
18:06 Grinnz better that than leave group unset IMO
18:07 sri hmm
18:07 batman sri: +1 on Grinnz' default. i think keeping the "root" default is not expected
18:07 Grinnz it is a little weird, that it doesn't use the user's gid as a default instead
18:07 Grinnz but dunno
18:07 mst right. I would expect "use the user's primary group" or "no default"
18:08 mst I suspect nginx's default is a result of linux systems commonly putting users into their own groups
18:08 mst rather than anything particularly well thought through
18:09 sri Grinnz: the secondary group problem is addressed by your new code?
18:09 Grinnz yes, secondary groups will always be overwritten
18:09 sri even if the new user only has one group
18:09 sri ok
18:10 sri i'm thinking of root user with like 10 groups, and a new user with just one
18:10 Grinnz yeah
18:10 Grinnz current process's groups are ignored
18:19 Grinnz this all would be a lot easier if POSIX or core had initgroups() and setgroups()
18:19 Grinnz actually just one or the other would be enough
18:20 batman i don't get why this doesn't have a unit test. why can't we have a test that only runs when user is root? it won't be automated, but at least testable for each time we change the code.
18:21 Grinnz hmm. perhaps that could be done
18:21 Grinnz on Mojo::Server directly, not hypnotoad
18:22 mst it seems like it could have an author-side integration test
18:22 sri can you make a unit test that runs on travis and my os x box?
18:22 mst the "can't be automatedly tested" thing seemed really wrong
18:22 Grinnz does travis run as root? :P
18:22 batman Grinnz: no, but i think you can do sudo
18:22 sri mst: nobody has done it
18:23 batman let me try something...
18:23 sri if it can be done... that's even more reason to get rid of the feature until someone makes a test imo
18:23 Grinnz can you tell it to sudo a test script? or do you have to sudo in the test?
18:23 * sri does not actually use the setuidgid feature
18:23 Grinnz i think the main issue here is that you need the user/group to exist on the box to test it...
18:24 * sri just uses linux capabilities mostly
18:25 Grinnz of course i could just find a user and group to test with i guess
18:26 sri well, if you want to do it right, you'd have to test every error you generate too ;p
18:26 Grinnz one step at a time...
18:27 sri anyway, i still have not gotten an answer to why we actually want this in core
18:28 sri it's not up to our standards quality wise
18:29 sri i mean, with Mojo::Server::daemonize you can at least argue that it's a common idiom without much risk
18:29 sri but Mojo::Server::setuidgid had serious security issues, and is still incorrect after many iterations
18:31 Grinnz i am still not sure it would be useful unless it could use hypnotoad config as it does now
18:31 sri well, you can wire it into the app however you like
18:32 sri plugin SetUidGid => {user => app->config->{hypnotoad}{user}, group => app->config->{hypnotoad}{group}};
18:33 Grinnz hmm
18:34 Grinnz this is starting to sound doable
18:36 sri very doable
18:36 sri just put your code into the plugin, and make the register sub add a Mojo::IOLoop->next_tick(...)
18:37 sri can even do "plugin SetUidGid => {...} if app->mode eq 'production'"
18:39 asarch joined #mojo
18:52 ajr_ joined #mojo
19:01 mishanti1 So is max_message_size($whatever) to be set on the Mojo::UserAgent-instance one is using?
19:02 mishanti1 like $ua->max_redirects(3)->max_message_size(0)->get($url)?
19:02 Grinnz http://paste.fedoraproject.org/215623/7487814/ here's a start for a test case; hard to have more than one test case per file though due to the user switching
19:03 memowe joined #mojo
19:05 mst Grinnz: Test::SharedFork
19:06 sri Bender: trust Grinnz
19:06 Bender OK, sri
19:06 wingfold joined #mojo
19:11 Grinnz damn... that module is a lot more complex than it initially appears
19:15 sri removing setuidgid would be trivial https://gist.github.com/anonymous/daacb447edacd69eff7c
19:16 sri unless there's quality reviews of Grinnz's PR soonish i think i'll dictate that solution
19:17 sri it's the right thing to do
19:17 Grinnz sri, i think i will set up that plugin. but would you consider a deprecation period?
19:17 sri Grinnz: it's a security issue, so i tend towards no
19:17 sri better not to have the feature than to have a possibly insecure version
19:17 Grinnz i am concerned people are using this to run apps on port 80, and removing it will leave them without recourse
19:18 sri i can flag this as an emergency release though
19:18 tempire It seems reasonable to me, but I haven't had a chance to look at the code yet
19:19 sri tempire: what seems reasonable?
19:19 batman i want to keep the feature, even though i'm not using it myself. simply because i'm pretty sure people are using it.
19:19 batman can we ask on the mailing list first?
19:19 sri no
19:20 sri opinions don't matter here
19:20 sri only facts
19:20 sri can you guarantee the new solution is secure and correct?
19:20 batman well... if none said they were using it, it would be a fact and we could just remove it
19:21 sri i'm certain people are using it, and that's the problem
19:21 sri we are providing a security feature that is 100% wrong
19:21 sri and 100% untested
19:22 tempire It seems reasonable to remove it and have it in a plugin.
19:22 batman ok. i see your point...
19:22 tempire But removing it immediately without the plugin, that seems a bit harsh
19:22 sri ideally Grinnz would make a plugin, and we would mention it in the Changes entry
19:23 sri tempire: waiting would put our users at risk though
19:23 batman tempire: i disagree. it's easy enough to add iptables rules if you're already root.
19:24 * tempire folds under pressure
19:24 tempire They can always run a previous version
19:24 tempire Or just not upgrade until they've worked out the difference
19:24 batman a bit ugly, but it seems like root.t is tested on travis: https://github.com/jhthorsen/toadfarm/compare/experiment/as-root
19:25 batman sri, Grinnz ^
19:25 batman https://travis-ci.org/jhthorsen/toadfarm/builds/60128908#L225
19:26 batman nevermind the failure. that's another test...
19:26 Grinnz nice, batman++
19:27 batman "nice" is probably a stretch, but it works haha
19:27 batman *bbl* i have to have dinner.
19:28 sri think i'm dead set on removing setuidgid now, it has cost me so much time in the past
19:30 sri and every time i have to read up on the topic again, and think of local test cases to make sure it kinda works
19:30 sri it's much easier to deal with the fallout once now
19:31 sri and i'll be totally open about the terrible quality of the code
19:32 sri we fucked up
19:32 Grinnz sri, one more thing; how do i error out the server if the setuid or set groups fails
19:33 sri you can't
19:34 Grinnz :s
19:35 mishanti1 Should Mojo::UserAgent not give any output when MOJO_USERAGENT_DEBUG=1 is set? If I set max_message_size(0) on $ua the useragent becomes completely silent.
19:35 batman sri: but you can make the child stop accepting and log an error message..?
19:35 sri of course
19:37 Grinnz how does hypnotoad check for the initial worker heartbeat currently?
19:38 Grinnz ah, _stopped in prefork, i found it
19:43 mishanti1 Okay, so I checked again. Setting max_message_size() on $ua to anything makes it hang. Just now noticed that the documentation says that MOJO_MAX_MESSAGE_SIZE must be set in ENV.
19:46 mishanti1 Worked perfectly! :)
19:52 mattastrophe joined #mojo
20:00 sri "Removed support for user/group switching, because it never worked correctly, which means that this security feature has become an attack vector itself."
20:00 * Grinnz just found out he wrote "you may redistribute it and/or modify it undef the terms..." in one of his modules
20:01 batman Grinnz: hehe
20:01 Grinnz and i found it because of syntax highlighting :D
20:02 batman sri: do i comment on #788 or just say +1 here?
20:02 * batman does both :)
20:02 batman +1 on removing it.
20:02 batman the removal is consistent
20:02 sri oh
20:02 sri +1 would mean applying the patch! ;p
20:03 Grinnz lol
20:03 batman crap. -1 then!
20:03 sri lol
20:03 batman no
20:03 batman HAHAHA
20:03 sri and -1 means keeping what we have!
20:03 batman ~~~0??
20:03 sri neutral was removal ;p
20:03 Grinnz ETOOMANYCHOICES
20:03 sri yea
20:03 Grinnz sri, so, if i log an error then stop Mojo::IOLoop, would that work?
20:03 sri Grinnz: you got a plugin?
20:04 Grinnz or is there some other way i should stop the worker?
20:04 sri Grinnz: i suspect logging an error and die might work
20:04 Grinnz die will just be caught won't it?
20:04 sri oh
20:04 sri hmm
20:04 sri true, you want to stop
20:05 sri and hope the heartbeat message has not been sent yet, so the server shuts down
20:05 Grinnz yeah...
20:06 sri you'll have workers getting respawned until the order of next_tick-s is right
20:07 sri i guess we could remove the next_tick in Mojo::Server::Prefork
20:07 sri then the first heartbeat would be after 5 seconds by default
20:08 sri which would mean you can safely stop the event loop from your next_tick
20:09 sri or we go further
20:09 sri and add an application hook for forking
20:09 Grinnz i don't know if that's even necessary, that next_tick would have to be added after the startup routine wouldn't it? it's just before the loop is started
20:10 Grinnz a hook for forking though could be useful
20:10 sri it would remove some confusion about timing i guess
20:11 mst and is less fragile than relying on next_tick and ordering, probably
20:12 sri big question then would be how to hook into the app from the server
20:13 Grinnz hmm...
20:14 sri a Mojo::after_fork method would work i suppose
20:14 batman why does it matter if the worker is respawned?
20:14 batman too many error messages in the log..?
20:15 Grinnz batman, don't want to get into an endless cycle instead of just exiting
20:15 batman kill 9, getppid; # :)
20:15 Grinnz lol
20:16 Grinnz well i want to consider the case where this is used in a non-prefork server as well
20:16 Grinnz though i guess it doesn't make much difference
20:17 Grinnz also, would that even make any sense?
20:18 sri oh, that makes a HUUUGE difference for the hook
20:19 sri an after_fork hook would only get emitted after actually forking
20:19 Grinnz right
20:19 sri not for a normal daemon
20:19 Grinnz what about an app_start hook? that is essentially a next_tick that is always run first
20:20 sri we don't know when the app starts
20:20 Grinnz yeah... "start" maybe not the best name
20:20 sri we know when the app gets instantiated, or when the event loop starts
20:20 sri and app_start makes no sense to me
20:21 sri s/d//
20:21 sri what is an app start in an embedded app?
20:43 sri yea ;p
20:43 sri i wonder in how many event loops timer events are ordered
20:45 Grinnz i think you have tests for that
20:46 sri looks like most event loops make no guarantees about order
20:47 sri we are totally random right now actually
20:48 Grinnz oh, i guess the order was only when they had different times
20:48 sri even then it's random
20:48 sri we check all, and if the time happens to be in the past it runs
20:52 wingfold joined #mojo
20:54 sri i guess next_tick could be ordered
20:54 sri and maybe a little more efficient than timers
21:10 sri yea, ordered next_tick is easy :)
21:15 noganex joined #mojo
21:29 sri Grinnz: ok, that should give you all the tools needed
21:29 good_news_everyon joined #mojo
21:29 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/vfyl9
21:29 good_news_everyon mojo/master 1ddab06 Sebastian Riedel: remove support for user/group switching, because it never worked correctly, which means that this security feature has become an attack vector itself
21:29 good_news_everyon left #mojo
21:29 sri next_tick is now always ordered
21:30 sri so your next_tick registered during app startup runs first
21:30 batman sri: can i write this: https://github.com/jhthorsen/toadfarm/commit/2bd8de3fc68a6943bab8fdf6a4f90fd04e8d347a#diff-29692b6226e4d27bb7b2fb036f98f3d4R118 ?
21:31 Grinnz sri, nice
21:31 sri batman: better link to Grinnz's plugin
21:32 Grinnz i am just working on tests... the hard part :)
21:32 sri \o/
21:32 batman sri: i take that as a "yes"
21:32 sri batman: not just deprecated, completely demolished
21:33 batman :)
21:33 batman i did this in toadfarm: https://github.com/jhthorsen/toadfarm/commit/dab1706fb35756081d9f2f490fe2ab3b3fb0ac5b
21:33 * batman will call it a day
21:33 sri Grinnz: i actually wonder if any of the functions you were missing earlier are available through cpan modules
21:34 Grinnz sri, i have looked for them, haven't found anything
21:34 sri from what i remember they were not part of POSIX, but available on most modern UNIXes
21:34 Grinnz well, Unix::Groups has setgroups
21:34 Grinnz but i haven't found initgroups
21:35 Grinnz sri, does Unix::Groups install on OS X?
21:35 sri Grinnz: yes
21:35 Grinnz perhaps i will use that then, instead of this $) oddity
21:37 Grinnz it is much more straightforward for dealing with the secondary groups
21:38 sri while we are at it, is this the best daemonize idiom we have? https://github.com/kraih/mojo/blob/master/lib/Mojo/Server.pm#L28-L39
21:38 Grinnz it's basically what i've done every time for daemonizing
21:38 Grinnz with the exception of sometimes chdir, but that doesn't work for morbo/hypnotoad
21:38 sri right
21:49 Grinnz much nicer: https://github.com/Grinnz/Mojolicious-Plugin-SetUserGroup/commit/0efbc6dc1ec027c2615068afeebdb4f879b90c17
22:00 sri Grinnz: yes it does
22:01 mishanti1 joined #mojo
22:04 Grinnz what does?
22:05 sri s/does/is/
22:05 Grinnz ah
22:09 good_news_everyon joined #mojo
22:09 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/vfyz8
22:09 good_news_everyon mojo/master 5a5e485 Sebastian Riedel: mention Mojolicious::Plugin::SetUserGroup
22:09 good_news_everyon left #mojo
22:11 sri i want to say "more secure CPAN module"... but that has not yet been proven i guess
22:14 mattastrophe joined #mojo
22:34 cpan_mojo Mojolicious-Plugin-BasicAuthPlus-0.09 by BLR https://metacpan.org/release/BLR/Mojolicious-Plugin-BasicAuthPlus-0.09
22:36 good_news_everyon joined #mojo
22:36 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/vfyVn
22:36 good_news_everyon mojo/master 13bc2ca Sebastian Riedel: better next_tick tests
22:36 good_news_everyon left #mojo
22:41 wingfold joined #mojo
22:48 jberger zomg the backlog!
23:01 jberger so is Grinnz's original patch not up for discussion anymore
23:01 jberger ?
23:02 jberger not that I have any expertise on the matter and would probably vote neutral
23:05 sri Grinnz has something better now with the plugin
23:05 Grinnz weird, why is $$ and getpid() returning the parent process pid inside a prefork action sub?
23:08 jberger hey did anyone see this little code challenge, I'm pretty happy with mine from a clarity standpoint: https://gist.github.com/jorin-vogel/2e43ffa981a97bc17259#comment-1440505
23:20 Grinnz ah well, i think that test will do for now
23:23 Grinnz https://github.com/Grinnz/Mojolicious-Plugin-SetUserGroup/blob/master/xt/author/sudo_prefork.t
23:24 Grinnz i don't really see any way to do that sudo part cleaner, but it's an author test so whatever :)
23:36 Grinnz https://github.com/Grinnz/Mojolicious-Plugin-SetUserGroup any comments on docs before i release?
23:38 * Grinnz doesn't want to see another user or group ID ever again after this
23:42 wingfold joined #mojo
23:52 sri Grinnz: maybe have a full and lite example in the synopsis
23:52 sri like the core plugins
23:52 Grinnz ok
23:54 Grinnz hrm
23:54 Grinnz i just realized, i don't think taking config from hypnotoad will actually do anything related to hypnotoad
23:55 chansen joined #mojo
23:58 Grinnz maybe i'll just add an example checking if the uid is root, lol
23:58 sri not the worst idea